Agenda

• Background

• Exploration of each type of insider crime:

- Theft/Modification of information for financial gain

- Theft of information for business advantage

- IT sabotage

• Best practices

• Summary

• Discussion
TRUE STORY:

Credit union customers lose all access to their money from Friday night through Monday...

Fired system administrator sabotages systems on his way out
TRUE STORY:

Financial institution discovers $691 million in losses...

Covered up for 5 years by trusted employee
COULD THIS HAPPEN TO YOU?
What is CERT?

• Center of Internet security expertise

• Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today

• Located in the Software Engineering Institute (SEI)

- Federally Funded Research & Development Center (FFRDC)

- Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)

Software Engineering Institute, Carnegie Mellon
Definition of Malicious Insider

From the CERT/US Secret Service Insider Threat Study

Current or former employees or contractors who

- intentionally exceeded or misused an authorized level of network, system or data access in a manner that

- affected the security of the organizations’ data, systems, or daily business operations.
How bad is the insider threat?
2007 e-Crime Watch Survey

• CSO Magazine, USSS, Microsoft & CERT

- 671 respondents

Chart: Percentage of Participants Who Experienced an Insider Incident
Most Common Insider Incidents

Chart: Percentage of Participants Who Experienced Specific Type of Insider Incident
Source of CERT’s Insider Threat Case Data

• CERT/U.S. Secret Service Insider Threat Study

- 150 actual insider threat cases

- 1996-2002

• Carnegie Mellon CyLab MERIT Project

- Approximately 100 insider threat cases

- Cases not included in the CERT/US Secret Service study

- Cases through 2007

• Case data includes both technical and behavioral information

MERIT: Management and Education of the Risk of Insider Threat
CyLab Common Sense Guide Best Practices

• Institute periodic enterprise-wide risk assessments.

• Institute periodic security awareness training for all employees.

• Enforce separation of duties and least privilege.

• Implement strict password and account management policies and practices.

• Log, monitor, and audit employee online actions.

• Use extra caution with system administrators and privileged users.

• Actively defend against malicious code.

• Use layered defense against remote attacks.

• Monitor and respond to suspicious or disruptive behavior.

• Deactivate computer access following termination.

• Collect and save data for use in investigations.

• Implement secure backup and recovery processes.

• Clearly document insider threat controls.

CyLab, www.cylab.cmu.edu
CERT’s Insider Threat Case Breakdown

Chart: case breakdown by category: Theft of Information, Modification of Information
Slightly Different Breakdown

Chart: case breakdown by category: Theft/Modification for Financial Gain, Theft for Business Advantage, IT Sabotage
Insider Scenarios

Scenario 1: Insider uses IT to steal or modify information for financial gain

Scenario 2: Insider uses IT to steal information for business advantage

Scenario 3: Insider uses IT in a way that is intended to cause harm to the organization or an individual

Misc: Cases that do not fall into the above categories
Scenario 1:

Theft or Modification of Information for Financial Gain
Theft or Modification for Financial Gain

• Who did it?

- Current employees

- “Low level” positions

- Gender: fairly equal split

- Average age: 33

• What was stolen/modified?

- Personally Identifiable Information (PII)

- Customer Information (CI)

- Very few cases involved trade secrets

• How did they steal/modify it?

- During normal working hours

- Using authorized access
Dynamics of the Crime

• Most attacks were long, ongoing schemes
Known Issues

• Family medical problems

• Substance abuse

• Physical threat of outsiders

• Financial difficulties

• Financial compensation issues

• Hostile work environment

• Problems with supervisor

• Layoffs
A Closer Look at THEFT for Financial Gain
Technical Aspects - Theft for Financial Gain

• Electronically

- Downloaded to home

- Looked up and used immediately

- Copied

- Phone/fax

- Email

- Malicious code

• Physically

- Printouts

- Handwritten

• Remaining unknown
Organizational Impacts - Theft for Financial Gain
Additional Countermeasures - Theft for Financial Gain

• Train managers on social networking issues

• Provide Employee Assistance Program or other recourse for employees experiencing personal problems

• Log, monitor, and audit for unusually large queries, downloads, print jobs, emails

• Do not overlook physical access controls

• Change passwords for all accounts upon termination, including EXTERNAL accounts!
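The "log, monitor, and audit for unusually large queries, downloads, print jobs, emails" countermeasure needs a baseline to say what "unusually large" means. The script below is an added example, not code from the CERT slides or the CyLab project: it reads a constructed audit log (the `user=... action=... records=...` line format, the field names, the user names and the 3.5 robust-z threshold are all assumptions), totals records per user per day and action type, and flags users whose total sits far above the population median. It uses a median/MAD robust z-score rather than mean/standard deviation so that the one heavy user being looked for does not inflate the baseline and hide themselves.

```python
"""Volume-anomaly detection over a constructed audit log.

Added example, not from the CERT slides. Flags users whose daily record
volume for an action type (query, download, print, email) is far above
the rest of the population, using a median/MAD robust z-score so that
one heavy user does not drag the baseline up with them.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample log (not real data). Assumed line format:
# <ISO timestamp> user=<id> action=<type> records=<count>
SAMPLE_LOG = """\
2008-03-10T09:12:41 user=alice action=query records=120
2008-03-10T09:40:02 user=bob action=query records=95
2008-03-10T10:05:17 user=carol action=query records=110
2008-03-10T10:33:55 user=dave action=query records=130
2008-03-10T11:01:09 user=erin action=query records=105
2008-03-10T11:47:30 user=frank action=query records=4800
2008-03-10T13:15:00 user=alice action=download records=40
2008-03-10T13:22:10 user=bob action=download records=35
2008-03-10T13:50:48 user=carol action=download records=50
2008-03-10T14:02:11 user=dave action=download records=45
2008-03-10T14:30:27 user=erin action=download records=38
2008-03-10T15:58:39 user=frank action=download records=42
2008-03-10T16:10:03 user=frank action=print records=900
2008-03-10T16:12:44 user=alice action=print records=12
2008-03-10T16:20:19 user=bob action=print records=15
2008-03-10T16:25:50 user=carol action=print records=10
2008-03-10T16:31:08 user=dave action=print records=14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) records=(?P<n>\d+)$"
)


def parse_log(text):
    """Return a list of (day, user, action, records); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day = m.group("ts")[:10]          # YYYY-MM-DD prefix of the timestamp
        events.append((day, m.group("user"), m.group("action"), int(m.group("n"))))
    return events


def daily_totals(events):
    """Aggregate records into {(day, action): {user: total}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, action, n in events:
        totals[(day, action)][user] += n
    return totals


def robust_outliers(per_user, threshold=3.5, min_population=4):
    """Return {user: robust_z} for users far above the population median.

    robust_z = 0.6745 * (x - median) / MAD, where MAD is the median absolute
    deviation; 0.6745 rescales MAD to a standard-deviation estimate. With
    fewer than min_population users there is no meaningful baseline.
    """
    if len(per_user) < min_population:
        return {}
    values = list(per_user.values())
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    flagged = {}
    for user, v in per_user.items():
        if mad == 0:
            # No spread in the population: anything above the median stands out.
            if v > med:
                flagged[user] = float("inf")
            continue
        z = 0.6745 * (v - med) / mad
        if z > threshold:
            flagged[user] = round(z, 1)
    return flagged


def find_volume_anomalies(log_text, threshold=3.5):
    """Return {(day, action): {user: robust_z}} containing flagged users only."""
    result = {}
    for key, per_user in daily_totals(parse_log(log_text)).items():
        flagged = robust_outliers(per_user, threshold)
        if flagged:
            result[key] = flagged
    return result


if __name__ == "__main__":
    for (day, action), users in sorted(find_volume_anomalies(SAMPLE_LOG).items()):
        for user, z in users.items():
            print(f"{day} {action}: {user} flagged (robust z = {z})")
```

On the constructed log, `frank` is flagged for the query and print totals while his download total, which is in line with everyone else's, is not; a per-user-per-action baseline is what lets a long-running scheme show up in one channel without the others masking it. In practice the baseline would be built over weeks of history per user and per role rather than over one day's population, and the flagged totals would go to a reviewer, not to an automatic block.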
A Closer Look at MODIFICATION for Financial Gain
Technical Aspects - Modification for Financial Gain

Chart: cases by type of modification: Only Modified Data, Only Added Data, Only Deleted Data, Combination of Actions
Organizational Impacts - Modification for Financial Gain

Chart: financial impact by range, including < $25K and $25K to $100K
Additional Countermeasures - Modification for Financial Gain

• Audit/monitor for suspicious transactions

• Train managers on social networking issues

• Provide Employee Assistance Program or other recourse for employees experiencing personal problems
Scenario 2:

Theft of Information for Business Advantage
Theft For Business Advantage

• Who did it?

- Current employees

- Technical or sales positions

- All male

- Average age: 37

• What was stolen?

- Intellectual Property (IP)

- Customer Information (CI)

• How did they steal it?

- During normal working hours

- Using authorized access
Dynamics of the Crime

• Most were quick theft upon resignation

• Stole information to

- Take to a new job

- Start a new business

- Give to a foreign company or government organization

• Collusion

- Collusion with at least one insider in almost 1/2 of cases

- Outsider recruited insider in less than 1/4 of cases

- Acted alone in 1/2 of cases
Known Issues

• Disagreement over ownership of intellectual property

• Financial compensation issues

• Relocation issues

• Hostile work environment

• Mergers & acquisitions

• Company attempting to obtain venture capital

• Problems with supervisor

• Passed over for promotion

• Layoffs
Technical Aspects - Theft for Business Advantage

• In order of prevalence:

- Copied/downloaded information at work

- Emailed information from work

- Accessed former employer’s system

- Compromised account

• Many other methods
Organizational Impacts - Theft for Business Advantage

Chart: financial impact by range, including a bracket ending at $100K
Additional Countermeasures - Theft for Business Advantage

• Log, monitor, and audit access to critical information

• Enforce “need to know” access controls, including encryption

• Protect software in development

• Prohibit use of personal computers for any work-related activity
Scenario 3:

IT Sabotage with the Intent to Harm Organization or Individual
Insider IT Sabotage

• Who did it?

- Former employees

- Male

- Highly technical positions

- Age: 17-60

• How did they attack?

- No authorized access

- Backdoor accounts, shared accounts, other employees’ accounts, insider’s own account

- Many technically sophisticated

- Remote access outside normal working hours
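Each item under "How did they attack?" is a control failure that is checkable from data the organization already holds, and the same checks implement two of the Common Sense Guide practices listed earlier, "Deactivate computer access following termination" and "Log, monitor, and audit employee online actions". The script below is an added example, not code from the CERT slides or the CyLab project. It assumes an HR roster that maps account names to a termination date (or none), a remote-access log in a constructed `<date> <time> <account> <source> <result>` format, and business hours of 07:00 to 19:00 on weekdays; the account names, dates and log lines are all constructed. It reports accounts that are overdue for deactivation, successful logins on or after an owner's termination date, logins by accounts that are not on the roster at all (the backdoor and unknown shared accounts in the case data), and remote logins outside working hours.

```python
"""Access-control checks over a constructed remote-access log.

Added example, not from the CERT slides. Given an HR account roster with
termination dates and a log of remote logins, it flags the three access
patterns the sabotage cases describe: successful logins by accounts whose
owner has been terminated, logins by accounts that are not on the roster
(candidate backdoor accounts), and remote logins outside working hours.
"""
from datetime import datetime, time

# Constructed roster (not real data): account -> termination date, None if still employed.
ROSTER = {
    "alice": None,
    "bob": None,
    "mallory": "2008-03-07",   # terminated on a Friday; access should be gone
    "svc_backup": None,        # shared service account that is legitimately on the roster
}

# Constructed log lines (not real data). Assumed format:
# <date> <time> <account> <source> <result>
AUTH_LOG = """\
2008-03-10 09:03:12 alice vpn success
2008-03-10 22:47:55 bob vpn success
2008-03-10 23:15:40 mallory vpn success
2008-03-11 02:10:08 sysadm2 vpn success
2008-03-11 02:12:31 sysadm2 vpn failure
2008-03-11 10:20:00 svc_backup vpn success
"""

WORK_START, WORK_END = time(7, 0), time(19, 0)   # assumed business hours
WORKDAYS = range(0, 5)                           # Monday..Friday


def parse_auth_log(text):
    """Return a list of event dicts; lines that do not have five fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "account": parts[2], "source": parts[3], "result": parts[4]})
    return events


def outside_hours(ts):
    """True on weekends or outside WORK_START..WORK_END."""
    return ts.weekday() not in WORKDAYS or not (WORK_START <= ts.time() <= WORK_END)


def pending_deactivations(roster, as_of):
    """Accounts whose owner's termination date is on or before as_of.

    These should already be disabled; any that still authenticate are a control failure.
    """
    cutoff = datetime.strptime(as_of, "%Y-%m-%d").date()
    return sorted(acct for acct, term in roster.items()
                  if term is not None and datetime.strptime(term, "%Y-%m-%d").date() <= cutoff)


def check_events(events, roster):
    """Return (timestamp, account, reason) tuples for successful logins that
    violate a control. One event can produce several findings."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        acct = e["account"]
        if acct not in roster:
            findings.append((e["ts"], acct, "account not in roster"))
        elif roster[acct] is not None and e["ts"].date() >= datetime.strptime(roster[acct], "%Y-%m-%d").date():
            # Login on or after the termination date: access was not deactivated.
            findings.append((e["ts"], acct, "login after termination date"))
        if outside_hours(e["ts"]):
            findings.append((e["ts"], acct, "remote login outside working hours"))
    return findings


if __name__ == "__main__":
    print("accounts overdue for deactivation:", pending_deactivations(ROSTER, "2008-03-10"))
    for ts, acct, reason in check_events(parse_auth_log(AUTH_LOG), ROSTER):
        print(f"{ts:%Y-%m-%d %H:%M} {acct}: {reason}")
```

Two design points follow from the case data. The roster comparison only works if HR's termination record and the directory are reconciled, so the `pending_deactivations` list is worth running on its own schedule, not only when a login is seen. And the off-hours check is deliberately a weak signal on its own (the constructed `bob` event is probably a legitimate late night), which is why it is reported as a reason alongside the stronger roster findings rather than as an alert by itself.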
Dynamics of Insider IT Sabotage

• Most insiders were disgruntled due to unmet expectations

- Period of heightened expectations, followed by a precipitating event triggering precursors

• Behavioral precursors were often observed but ignored by the organization

- Significant behavioral precursors often came before technical precursors

• Technical precursors were observable, but not detected by the organization
Known Issues

• Unmet Expectations

- Insufficient compensation

- Lack of career advancement

- Inflexible system policies

- Coworker relations; supervisor demands

• Behavioral precursors

- Drug use; absence/tardiness

- Aggressive or violent behavior; mood swings

- Used organization’s computers for personal business

- Sexual harassment

- Poor hygiene
Technical Aspects of Insider IT Sabotage

• Insiders created or used unknown access paths to set up their attack and conceal their identity or actions.

• The majority attacked after termination.

• Organizations failed to detect technical precursors.

• Lack of physical or electronic access controls facilitated the attack.
More About Access Paths

• Access path

- A sequence of one or more access points that lead to a critical system

An organization may not know about all of the access paths to its critical systems.
Organizational Impacts of IT Sabotage

• Inability to conduct business, loss of customer records

• Inability to produce products

• Negative media attention

• Private information forwarded to customers, competitors, or employees

• Exposure of personal or confidential information

• Web site defacements

• Many individuals harmed
Additional Countermeasures - IT Sabotage

• Train management on the patterns of behavior that could indicate an IT sabotage attack

RSA Conference 2008

Miscellaneous:

Cases not in the above scenarios

Examples of Miscellaneous Cases

• Reading executive emails for entertainment

• Providing organizational information to lawyers in lawsuit against organization (ideological)

• Transmitting organization’s IP to hacker groups

• Unauthorized access to information to locate a person as accessory to murder
Summary

• Insider threat is a problem that impacts and requires understanding by everyone

- Information Technology

- Information Security

- Human Resources

- Management

- Physical Security

- Legal

• Use enterprise risk management for protection of critical assets from ALL threats, including insiders

• Incident response plans should include insider incidents

• Create a culture of security - all employees have responsibility for protection of organization’s information
Discussion
Points of Contact

Insider Threat Team Lead:

Dawn M. Cappelli

Senior Member of the Technical Staff
CERT Programs
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-9136 - Phone
dmc@cert.org - Email

Business Development:

Joseph McLeod
Business Manager
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-6674 - Phone
+1 412-291-3054 - FAX
+1 412-478-3075 - Mobile
jmcleod@sei.cmu.edu - Email

http://www.cert.org/insider_threat/